On Fri, Jan 19, 2018 at 08:30:17AM +0530, Varsha Rao wrote:
> The following macros check if particular C types in specific header files
> exist; these header files define them and are already included in the
> source code. So, remove them.
>
> AC_HEADER_STDBOOL - stdbool.h
> AC_TYPE_INT and
On Fri, 19 Jan 2018, Pablo Neira Ayuso wrote:
> Several reasons for this:
>
> * Several modules maintain internal version numbers, that they print at
> boot/module load time, that are not exposed to userspace, as a
> primitive mechanism to make revision number control from the earlier
>
Mention nftables earlier in the documentation, so users have more context on
what we are talking about.
This is Debian bug #887718, which contains:
<<<
Currently one must read down 100 lines before it is even mentioned.
You might want to make the connection between "nft" and "nftables" as
early
On Fri, Jan 19, 2018 at 01:17:47PM +0100, Arturo Borrero Gonzalez wrote:
> Mention nftables earlier in the documentation, so users have more context on
> what we are talking about.
>
> This is Debian bug #887718, which contains:
>
> <<<
> Currently one must read down 100 lines before it is
On Mon, Jan 08, 2018 at 12:09:17AM +0900, Taehee Yoo wrote:
> The goal of this patch set is to use the ASN.1 decoder library
> to parse the SNMP ASN.1 payload.
Thanks, I'm going to apply to nf-next.
I've been postponing this to schedule time to test this intensively,
but I've been failing to find
On Tue, Jan 16, 2018 at 02:51:01PM +, Luis de Bethencourt wrote:
> The trailing semicolon is an empty statement that does no operation.
> Removing it since it doesn't do anything.
Applied.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message
On Tue, Jan 16, 2018 at 12:45:32AM +0300, Alexey Dobriyan wrote:
> /proc has been ignoring struct file_operations::owner field for 10 years.
> Specifically, it started with commit 786d7e1612f0b0adb6046f19b906609e4fe8b1ba
> ("Fix rmmod/read/write races in /proc entries"). Notice the chunk where
>
On Tue, Jan 16, 2018 at 05:19:57PM +0100, Phil Sutter wrote:
> This removes libnftables pkg-config file along with the few lines of
> code to adjust and install it.
Applied, thanks Phil.
Several reasons for this:
* Several modules maintain internal version numbers, that they print at
boot/module load time, that are not exposed to userspace, as a
primitive mechanism to make revision number control from the earlier
days of Netfilter.
* IPset shows the protocol version at
Pablo Neira Ayuso wrote:
> Several reasons for this:
>
> * Several modules maintain internal version numbers, that they print at
> boot/module load time, that are not exposed to userspace, as a
> primitive mechanism to make revision number control from the earlier
>
On Tue, Jan 16, 2018 at 09:50:13PM +0530, Shyam Saini wrote:
> This patch adds test cases for iptables to nft translation of cluster match.
> This adds all test cases, including corner cases.
>
> Run these test cases like:
>
> $ ./xlate-test.py extensions/libxt_cluster.txlate
Applied,
On Thu, Jan 18, 2018 at 05:25:12PM -0600, Gustavo A. R. Silva wrote:
> Return statements in functions returning bool should use
> true/false instead of 1/0.
>
> These issues were detected with the help of Coccinelle.
Applied, thanks.
Otherwise netlink dump sends uninitialized fields to userspace.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index
This patch adds code to allocate unique object handles and delete objects
via those unique object handles.
Signed-off-by: Pablo Neira Ayuso
---
@Harsha: Only this one was missing, I quickly made it here.
include/net/netfilter/nf_tables.h| 2 ++
On 19 January 2018 at 13:47, Pablo Neira Ayuso wrote:
> Several reasons for this:
>
> * Several modules maintain internal version numbers, that they print at
> boot/module load time, that are not exposed to userspace, as a
> primitive mechanism to make revision number
From: Wei Yongjun
Signed-off-by: Wei Yongjun
Signed-off-by: Pablo Neira Ayuso
---
net/ipv6/netfilter/nf_flow_table_ipv6.c | 1 -
net/netfilter/nf_queue.c| 2 --
2 files changed, 3 deletions(-)
diff --git
From: Ahmed Abdelsalam
It allows matching packets based on Segment Routing Header
(SRH) information.
The implementation considers revision 7 of the SRH draft.
https://tools.ietf.org/html/draft-ietf-6man-segment-routing-header-07
Currently supported match options include:
From: Florian Westphal
The clusterip target needs to register an arp mangling hook,
so make sure NF_ARP hooks are available.
Fixes: 2a95183a5e ("netfilter: don't allocate space for arp/bridge hooks unless
needed")
Reported-by: kernel test robot
From: Arnd Bergmann
The newly added NF_FLOW_TABLE options cause some build failures in
randconfig kernels:
- when CONFIG_NF_CONNTRACK is disabled, or is a loadable module but
NF_FLOW_TABLE is built-in:
In file included from net/netfilter/nf_flow_table.c:8:0:
EEXIST is used for an object that already exists, with the same
name/handle. However, there is no such object there; instead there is an
object that is using the single slot that is available for NAT hooks
since patch f92b40a8b264 ("netfilter: core: only allow one nat hook per
hook point"). Let's
Remove the infrastructure to register/unregister nft_af_info structure,
this structure stores no useful information anymore.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h | 23 +--
net/bridge/netfilter/nf_tables_bridge.c | 25 +--
From: Wei Yongjun
Fix a typo, we should check 'flowtable' instead of 'table'.
Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend")
Signed-off-by: Wei Yongjun
Signed-off-by: Pablo Neira Ayuso
---
From: Taehee Yoo
Remove comments that do not let us know important information.
Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso
---
net/ipv4/netfilter/nf_nat_snmp_basic.c | 30 --
1 file
Pass family number instead, this comes in preparation for the removal of
struct nft_af_info.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c | 16 +++-
1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c
From: Florian Westphal
A typo causes module auto load support to never be compiled in.
Fixes: 03d13b6868a2 ("netfilter: xtables: add and use
xt_request_find_table_lock")
Reported-by: Pablo Neira Ayuso
Signed-off-by: Florian Westphal
Place all existing user defined tables in struct net *, instead of
having one list per family. This saves us from one level of indentation
in netlink dump functions.
Place pointer to struct nft_af_info in struct nft_table temporarily, as
we still need this to put back reference module reference
Replace it by a direct check for the netdev protocol family.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h | 6 --
net/netfilter/nf_tables_api.c | 2 +-
net/netfilter/nf_tables_netdev.c | 1 -
3 files changed, 1 insertion(+), 8 deletions(-)
nf_tables_table_enable() and nf_tables_table_disable() take a pointer to
struct nft_af_info that is never used, remove it.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c | 21 ++---
1 file changed, 6 insertions(+), 15 deletions(-)
diff
We already validate the hook through bitmask, so this check is
superfluous. When removing this, this patch is also fixing a bug in the
new flowtable codebase, since ctx->afi points to the table family
instead of the netdev family which is where the flowtable is really
hooked in.
Signed-off-by:
From: Taehee Yoo
To see debug messages of nf_nat_snmp_basic, we have to set the debug value
when we insert this module, but that is inconvenient, and using only the
dynamic debugging is enough to debug.
This patch just removes debug code. Then, in the next patch, debugging code
From: Taehee Yoo
The basic SNMP ALG parses the SNMP ASN.1 payload; however, since 2012 the
Linux kernel has provided an ASN.1 decoder library.
If we use the ASN.1 decoder in /lib/asn1_decoder.c, we can remove
about 1000 lines of ASN.1 parsing routines.
To use asn1_decoder.c, we should write mib
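What the thousand lines being removed had to get right, and what the kernel decoder centralises, is one check: every BER length must be validated against the bytes actually remaining in the enclosing element before anything reads the content. The C program below is an added illustration, not code from this series and not the lib/asn1_decoder.c API (which needs a grammar compiled by asn1_compiler and cannot run stand-alone in userspace): a minimal BER walker with those checks, an INTEGER decoder, and a SNMP-version extractor, run over constructed SNMP-style messages (one valid, one valid with a long-form length, and three malformed variants that a correct parser must reject). All names and samples are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BER_MAX_DEPTH 8

/* Header of one BER TLV element (single-byte tags, definite lengths). */
struct ber_hdr {
    uint8_t tag;
    int constructed;   /* bit 6 of the identifier octet */
    size_t hdr_len;    /* bytes used by identifier + length octets */
    size_t len;        /* content length, already checked against avail */
};

/* Parse identifier and length of the element at buf[0..avail). Returns 0 on
 * success, -1 if malformed or if the claimed length runs past avail. */
static int ber_hdr_parse(const uint8_t *buf, size_t avail, struct ber_hdr *h)
{
    size_t pos = 0;

    if (avail < 2)
        return -1;
    h->tag = buf[pos++];
    if ((h->tag & 0x1f) == 0x1f)            /* multi-byte tags: not used by SNMP */
        return -1;
    h->constructed = (h->tag & 0x20) != 0;

    uint8_t l = buf[pos++];
    if (l < 0x80) {                         /* short form */
        h->len = l;
    } else {                                /* long form: 0x8n, then n length octets */
        size_t n = l & 0x7f;
        if (n == 0 || n > sizeof(size_t))   /* 0x80 = indefinite length: not allowed in SNMP */
            return -1;
        if (avail - pos < n)
            return -1;
        size_t v = 0;
        for (size_t i = 0; i < n; i++)
            v = (v << 8) | buf[pos++];
        h->len = v;
    }
    h->hdr_len = pos;
    if (h->len > avail - pos)               /* the check a hand-rolled parser must repeat everywhere */
        return -1;
    return 0;
}

/* Walk every element, recursing into constructed ones, counting primitive
 * leaves. Returns 0 if the buffer is exactly covered by well-formed elements. */
static int ber_walk(const uint8_t *buf, size_t len, unsigned depth, size_t *nprim)
{
    size_t pos = 0;

    if (depth > BER_MAX_DEPTH)
        return -1;
    while (pos < len) {
        struct ber_hdr h;
        if (ber_hdr_parse(buf + pos, len - pos, &h))
            return -1;
        if (h.constructed) {
            if (ber_walk(buf + pos + h.hdr_len, h.len, depth + 1, nprim))
                return -1;
        } else {
            (*nprim)++;
        }
        pos += h.hdr_len + h.len;
    }
    return 0;
}

/* Decode a two's-complement INTEGER of up to 8 content octets. */
static int ber_int(const uint8_t *content, size_t len, int64_t *out)
{
    if (len == 0 || len > 8)
        return -1;
    uint64_t v = (content[0] & 0x80) ? ~(uint64_t)0 : 0;   /* sign-extend */
    for (size_t i = 0; i < len; i++)
        v = (v << 8) | content[i];
    *out = (int64_t)v;
    return 0;
}

/* Number of primitive elements in a well-formed blob, or -1 if malformed. */
static long walk_count(const uint8_t *buf, size_t len)
{
    size_t n = 0;
    return ber_walk(buf, len, 0, &n) ? -1 : (long)n;
}

/* SNMP version = first INTEGER inside the outer SEQUENCE; -1 on any error
 * (SNMP versions are non-negative, so -1 is a safe sentinel here). */
static int64_t snmp_version(const uint8_t *buf, size_t len)
{
    struct ber_hdr outer, inner;
    int64_t v = 0;

    if (walk_count(buf, len) < 0)           /* validate the whole message first */
        return -1;
    if (ber_hdr_parse(buf, len, &outer) || outer.tag != 0x30)
        return -1;
    if (ber_hdr_parse(buf + outer.hdr_len, outer.len, &inner) || inner.tag != 0x02)
        return -1;
    return ber_int(buf + outer.hdr_len + inner.hdr_len, inner.len, &v) ? -1 : v;
}

/* Constructed samples, not captures: SEQUENCE { INTEGER 0, OCTET STRING "public" }
 * and malformed variants. */
static const uint8_t msg_ok[]        = { 0x30, 0x0b, 0x02, 0x01, 0x00, 0x04, 0x06, 'p','u','b','l','i','c' };
static const uint8_t msg_longform[]  = { 0x30, 0x81, 0x0b, 0x02, 0x01, 0x00, 0x04, 0x06, 'p','u','b','l','i','c' };
static const uint8_t msg_truncated[] = { 0x30, 0x20, 0x02, 0x01, 0x00, 0x04, 0x06, 'p','u','b','l','i','c' }; /* outer len 32, 11 available */
static const uint8_t msg_overrun[]   = { 0x30, 0x0b, 0x02, 0x05, 0x00, 0x04, 0x06, 'p','u','b','l','i','c' }; /* INTEGER len 5 eats the next header */
static const uint8_t msg_indef[]     = { 0x30, 0x80, 0x02, 0x01, 0x00, 0x00, 0x00 };                          /* indefinite length */

int main(void)
{
    printf("ok: %ld primitives, version %lld\n", walk_count(msg_ok, sizeof msg_ok),
           (long long)snmp_version(msg_ok, sizeof msg_ok));
    printf("truncated %ld, overrun %ld, indefinite %ld\n",
           walk_count(msg_truncated, sizeof msg_truncated),
           walk_count(msg_overrun, sizeof msg_overrun),
           walk_count(msg_indef, sizeof msg_indef));
    return 0;
}
```

The overrun sample is the instructive one: the outer SEQUENCE length is honest, but the inner INTEGER claims five octets and swallows the OCTET STRING header, so the next tag is read from the middle of "public" and its length check fails. A parser that validated only the outermost length would have accepted it.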
From: Alexey Dobriyan
/proc has been ignoring struct file_operations::owner field for 10 years.
Specifically, it started with commit 786d7e1612f0b0adb6046f19b906609e4fe8b1ba
("Fix rmmod/read/write races in /proc entries"). Notice the chunk where
inode->i_fop is initialized
From: Subash Abhinov Kasiviswanathan
ipv6_defrag pulls network headers before fragment header. In case of
an error, the netfilter layer is currently dropping these packets.
This results in failure of some IPv6 standards tests which passed on
older kernels due to the
Now that we have a single table list for each netns, we can get rid of
one pointer per family and the global afinfo list, thus, shrinking
struct netns for nftables that now becomes 64 bytes smaller.
And call __nft_release_afinfo() from __net_exit path accordingly to
release netnamespace objects
From: Wei Yongjun
Fixes the following sparse warning:
net/netfilter/core.c:380:6: warning:
symbol '__nf_unregister_net_hook' was not declared. Should it be static?
Signed-off-by: Wei Yongjun
Signed-off-by: Pablo Neira Ayuso
From: Harsha Sharma
This patch allows deletion of objects via unique handle which can be
listed via '-a' option.
Signed-off-by: Harsha Sharma
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h
From: Subash Abhinov Kasiviswanathan
conntrack defrag is needed only if some module like CONNTRACK or NAT
explicitly requests it. For plain forwarding scenarios, defrag is
not needed and can be skipped if NOTRACK is set in a rule.
Since conntrack defrag is currently
From: Taehee Yoo
Use nf_ct_helper_log to write log message.
Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso
---
net/ipv4/netfilter/nf_nat_snmp_basic.c | 11 ++-
1 file changed, 6 insertions(+), 5 deletions(-)
From: Arnd Bergmann
Without CONFIG_NF_FLOW_TABLE, the new nft_flow_offload module produces
a link error:
net/netfilter/nft_flow_offload.o: In function
`nft_flow_offload_iterate_cleanup':
nft_flow_offload.c:(.text+0xb0): undefined reference to `nf_flow_table_iterate'
From: Arnd Bergmann
As a side-effect of adding the module option, we now get a section
mismatch warning:
WARNING: net/ipv4/netfilter/iptable_raw.o(.data+0x1c): Section mismatch in
reference from the variable packet_raw to the function
.init.text:iptable_raw_table_init()
The
From: Florian Westphal
request_module may return a positive error result from modprobe; if we cast
this to ERR_PTR this returns a garbage result (it passes IS_ERR checks).
Fix it by ignoring modprobe return values entirely, just retry the
table lookup instead.
Reported-by:
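The failure mode in this commit message, as an added illustration that is not the kernel's code: a userspace replica of ERR_PTR/IS_ERR (the MAX_ERRNO = 4095 convention of include/linux/err.h is assumed), a fake request_module() whose return value is scripted, and a buggy and a fixed table lookup side by side. The table registry, the -ENOENT fallback in the fixed variant and all names are the example's own.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace replica of the kernel's ERR_PTR/IS_ERR contract (assumed from
 * include/linux/err.h): only the top MAX_ERRNO addresses are error pointers. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *p) { return (long)p; }
static inline int IS_ERR(const void *p)
{
    return (unsigned long)p >= (unsigned long)-MAX_ERRNO;
}

struct xt_table { const char *name; };

/* Stand-ins constructed for the example: loading the module registers the
 * table as a side effect, and request_module() reports whatever modprobe_rc
 * is set to, modelling modprobe's exit status surfacing as a positive number. */
static struct xt_table filter_table = { "filter" };
static int table_registered;
static int modprobe_rc;

static struct xt_table *find_table(const char *name)
{
    return table_registered && strcmp(name, filter_table.name) == 0
           ? &filter_table : NULL;
}

static int fake_request_module(const char *name)
{
    (void)name;
    table_registered = 1;
    return modprobe_rc;
}

/* BUGGY: forwards request_module()'s result through ERR_PTR. A positive rc
 * becomes a small non-NULL pointer that IS_ERR() does not flag, so the
 * caller would dereference it. */
static struct xt_table *request_find_table_buggy(const char *name)
{
    struct xt_table *t = find_table(name);
    if (t)
        return t;
    int rc = fake_request_module(name);
    if (rc)
        return ERR_PTR(rc);
    return find_table(name);
}

/* FIXED, following the approach the commit message describes: ignore the
 * modprobe result and simply retry the lookup. */
static struct xt_table *request_find_table_fixed(const char *name)
{
    struct xt_table *t = find_table(name);
    if (t)
        return t;
    fake_request_module(name);
    t = find_table(name);
    return t ? t : ERR_PTR(-ENOENT);
}

/* Run the buggy path with the table initially absent and modprobe reporting
 * rc. Returns 1 if the result is neither NULL, nor IS_ERR, nor the real
 * table: garbage that a caller would dereference. */
static int buggy_yields_garbage(int rc)
{
    table_registered = 0;
    modprobe_rc = rc;
    struct xt_table *t = request_find_table_buggy("filter");
    return t != NULL && !IS_ERR(t) && t != &filter_table;
}

/* Same scenario through the fixed path: 1 if the real table comes back. */
static int fixed_yields_table(int rc)
{
    table_registered = 0;
    modprobe_rc = rc;
    return request_find_table_fixed("filter") == &filter_table;
}

int main(void)
{
    printf("IS_ERR(ERR_PTR(-ENOENT)) = %d, IS_ERR(ERR_PTR(1)) = %d\n",
           IS_ERR(ERR_PTR(-ENOENT)), IS_ERR(ERR_PTR(1)));
    printf("modprobe rc=1: buggy garbage=%d, fixed ok=%d\n",
           buggy_yields_garbage(1), fixed_yields_table(1));
    return 0;
}
```

The point the replica makes concrete: ERR_PTR(1) is the address 0x1, far below the -MAX_ERRNO window, so every IS_ERR/IS_ERR_OR_NULL check accepts it as a live object. Any positive value from a helper must be filtered (or, as here, discarded) before it can reach ERR_PTR.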
From: Arnd Bergmann
We cannot access the skb->_nfct field when CONFIG_NF_CONNTRACK is
disabled:
net/ipv4/netfilter/nf_defrag_ipv4.c: In function 'ipv4_conntrack_defrag':
net/ipv4/netfilter/nf_defrag_ipv4.c:83:9: error: 'struct sk_buff' has no member
named '_nfct'
From: Taehee Yoo
snmp_translate() receives ctinfo data only to get the dir value.
Because the caller already has the dir value, we just replace ctinfo with dir.
Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso
---
tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
head: e55311665286ab2744295575948c2b08dc001bf3
commit: 3ecbfd65f50e5ff9c538c1bfa3356ef52cc66586 [27/32] netfilter: nf_tables:
allocate handle and delete objects via handle
reproduce:
# apt-get install
Fixes: 3ecbfd65f50e ("netfilter: nf_tables: allocate handle and delete objects
via handle")
Signed-off-by: Fengguang Wu
---
nf_tables_api.c |8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c
With a previously valid configuration, which "includes" files into the
main configuration, I get error messages with the HEAD of master on
January 16, 2018 9afd72a883e391e366a1d75bb4e1705357e078e9
systemd[1]: Starting nftables...
apu.allycomm.com nft[31431]: In file included from
On Fri, Jan 19, 2018 at 03:27:57AM +0100, Pablo Neira Ayuso wrote:
> On Fri, Jan 19, 2018 at 12:48:15PM +1100, Duncan Roe wrote:
> > On Tue, Jan 16, 2018 at 11:39:30PM +0100, Pablo Neira Ayuso wrote:
> > > On Wed, Jan 17, 2018 at 08:52:17AM +1100, Duncan Roe wrote:
> > > > On Wed, Jan 17, 2018 at
49 matches